Question for Grails-Dev list - security related feature

Jonathan Andrew Ong
Hi Everyone,

First of all, this is my first time to write to this list, as I've always been a 'lurker'. I want to know if this list is for discussion mostly on publishing / allowing a plugin to be published? Or can I discuss an idea here?

For the idea, basically, I've been looking for a way to secure individual field elements on-screen, using spring security.
Currently, the way I implement this is that I surround certain screen elements such as Approve buttons with the <sec:ifAnyGranted/ifAllGranted> tags. However, when certain rules change, such as a manager can now approve certain documents, I'd have to change the gsp, recompile and redeploy. That would mean it is non-configurable.

Is there a plugin already that can do this, or in any way spring-security plugins can do this? If not, I was thinking if there's a way to intercept the HTML that is generated upon rendering a view, and apply it there. This could also be created as a plugin to allow users to configure the security of elements.

An element could have a tag to identify its ID, such as:

<a href="www.google.com" security-id="google-button"> Go to Google</a>

which can be secured similar to requestmaps?


Hoping for some feedback.

Onats
---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email


Re: Question for Grails-Dev list - security related feature

Aaron Zirbes
In light of a recent talk I saw at GRuconf.us, this seems like a prime example of a combination of the fields plugin with some combination of spring-security-* plugin(s). I know that the Spring Security ACL plugin does something in the ballpark, but it's aimed at doing service method security. If you have enough control over the application to ensure that all field access is done via the fields plugin, then I think that is the way to go.

If you have some success, a blog post recap might be nice as I haven't seen anyone use it in that context yet.
--
Aaron

On Thu, Aug 2, 2012 at 9:04 PM, Jonathan Andrew Ong <[hidden email]> wrote:

Re: Question for Grails-Dev list - security related feature

Jonathan Andrew Ong
Hi Aaron,

If it's tied to the fields plugin, then that would mean that it will have a dependency on it. Furthermore, what about screen elements, say buttons and sections (I am thinking of this in my own application), that I want to restrict from regular users?

For Spring Security ACL, I believe this is on a per record basis?

Onats

On Aug 3, 2012, at 11:14 AM, Aaron Zirbes <[hidden email]> wrote:


Re: Question for Grails-Dev list - security related feature

Aaron Zirbes
As far as view sections go, I think any implementation will leave you stuck with the usual spring security <sec:ifAnyGranted role="...">..</sec:ifAnyGranted> syntax.  I don't know anything that would magically get that for you in a view.  Buttons included.

With buttons you could @Secured(...) the actions, to protect them, but to prevent displaying the buttons, you are once again left with <sec:ifAnyGranted />.  I don't know of any plugin, extension or even have an idea of an implementation that might be intuitive enough to provide the type of data -> action -> view coverage you are looking for.

The best I can suggest is the fields plugin as it offers you custom templates per field which can be tied to a specific domain class, and if you religiously use the fields rendering, this will get you a long ways.  The rest of it is why we're all so busy.

--
Aaron

On Thu, Aug 2, 2012 at 10:48 PM, Jonathan Andrew Ong <[hidden email]> wrote:

Re: Question for Grails-Dev list - security related feature

Nathan Wells
To answer the first question, I think this is a better topic for the user list. 

Secondly, my thought is that you want to secure UI elements on a per-user basis, and do so such that the settings could be changed at runtime. The way to do this is by defining very granular roles, and then providing a UI to grant those roles to specific users.

Nathan Wells
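
One way to make the element rules discussed in this thread configurable at runtime, as an added example that is not from any post here or from an existing plugin: rules live in a database table modeled on Requestmap, and the controller action checks the same rule as the tag, since hiding a button does not protect the action. `ElementRule`, `ElementSecurityService`, `DocumentController` and the `esec` namespace are assumed names.

```groovy
// Added example; every class name and the 'esec' namespace are hypothetical.
// In a Grails app each class lives in its own file under the directory shown.
import grails.plugin.springsecurity.SpringSecurityUtils // plugin 1.x: org.codehaus.groovy.grails.plugins.springsecurity

// grails-app/domain/ElementRule.groovy -- one row per protected element, like Requestmap
class ElementRule {
    String securityId        // e.g. 'approve-button'
    String configAttribute   // comma-separated roles, e.g. 'ROLE_MANAGER,ROLE_ADMIN'
    static constraints = {
        securityId blank: false, unique: true
        configAttribute blank: false
    }
}

// grails-app/services/ElementSecurityService.groovy -- single decision point
class ElementSecurityService {
    boolean isAllowed(String securityId) {
        ElementRule rule = ElementRule.findBySecurityId(securityId)
        // Deny by default: an element with no rule stays hidden and blocked.
        rule ? SpringSecurityUtils.ifAnyGranted(rule.configAttribute) : false
    }
}

// grails-app/taglib/ElementSecurityTagLib.groovy
// GSP usage: <esec:ifAllowed id="approve-button"> ...button markup... </esec:ifAllowed>
class ElementSecurityTagLib {
    static namespace = 'esec'
    def elementSecurityService
    def ifAllowed = { attrs, body ->
        if (elementSecurityService.isAllowed(attrs.id as String)) {
            out << body()
        }
    }
}

// grails-app/controllers/DocumentController.groovy
// The tag only controls display; the action enforces the same rule server-side.
class DocumentController {
    def elementSecurityService
    def approve() {
        if (!elementSecurityService.isAllowed('approve-button')) {
            response.sendError(403)
            return
        }
        render 'approved'
    }
}
```

Changing a row's `configAttribute` takes effect on the next request, with no change to the GSP and no redeploy.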


On Thu, Aug 2, 2012 at 10:24 PM, Aaron Zirbes <[hidden email]> wrote: